13.07.2015

hp-security-research-cyber-risk-report-pdf-2-w-1408
HP Security Research | Cyber Risk Report 2015

Mozart

The Mozart track 1 and track 2 data recognition routine is more sophisticated than that used by the other POS malware. Of note, it does not buffer any data before attempting to match track separators. While malware such as BlackPOS buffers data and spends CPU cycles searching for possible number patterns, Mozart locates the track separators first and only then checks the validity of the surrounding track 1 and track 2 data heuristically. Mozart is also able to recognize a broader range of character types in both data tracks than the other two examples, which makes it not only more efficient computationally but also gives it broader applicability and possibly a higher success rate.

Mozart also uses some additional verification mechanisms of interest. After it gathers possible track records, it checks the card issuer identification number (IIN) and then applies the Luhn algorithm [132] to confirm that the numbers it captured are potentially valid card numbers. This effort not only decreases the number of false positives, it also decreases the size of the log file.

Track data management

While Mozart might be the best example of efficient targeting of track data, BlackPOS stands out for its track data management. Many POS malware types simply save the track records they capture directly to the file system. BlackPOS, however, maintains a binary tree of the captured track records in memory so that it can quickly check whether a record has already been collected. This has a few advantages. By removing duplicate records, it reduces the size of the track record log file. A smaller footprint on the network gives it a better chance of avoiding detection. Storage is usually minimal on POS systems, and by saving local hard disk space, BlackPOS can hold more track records.
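The following is an added illustration of the two behaviours described above, written for this page and not taken from the HP report or from any of the malware families it analyses: separator-first track matching followed by IIN, Luhn and expiry checks (the Mozart approach), and an in-memory record set that rejects duplicates before anything is written to a log (the role the report assigns to BlackPOS's binary tree). The IIN table is a deliberately small, simplified assumption, the track layouts follow the public ISO/IEC 7813 formats, and the memory buffer is constructed test data built from well-known Luhn-valid test PANs.

```python
"""Scan a memory buffer for card track data: match separators first, then
validate each hit (IIN prefix, Luhn, expiry), then deduplicate.

Added example for illustration; not code from the HP report or from Mozart,
BlackPOS or Dexter.  IIN_TABLE is a simplified assumption and SAMPLE_MEMORY
is constructed test data.
"""
import re
from dataclasses import dataclass

# Track 1 (ISO 7813): %B + PAN + ^ + name + ^ + YYMM + service code + discretionary + ?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.'-]{2,26})\^(\d{4})(\d{3})([0-9A-Z ]*)\?")
# Track 2 (ISO 7813): ; + PAN + = + YYMM + service code + discretionary + ?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Simplified issuer identification number table (assumption: real IIN ranges
# are far larger; this is just enough to reject random digit runs).
IIN_TABLE = (
    (("4",), (13, 16, 19), "visa"),
    (("34", "37"), (15,), "amex"),
    (("51", "52", "53", "54", "55"), (16,), "mastercard"),
    (("6011", "65"), (16,), "discover"),
)


def luhn_valid(pan: str) -> bool:
    """Luhn check: double every second digit from the right, sum digits, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def iin_brand(pan: str):
    """Return the brand for a PAN whose prefix and length are in IIN_TABLE, else None."""
    for prefixes, lengths, brand in IIN_TABLE:
        if len(pan) in lengths and pan.startswith(prefixes):
            return brand
    return None


def expiry_plausible(yymm: str) -> bool:
    """Cheap sanity check on the YYMM field: month must be 01..12."""
    return 1 <= int(yymm[2:]) <= 12


@dataclass(frozen=True)
class TrackRecord:
    track: int
    pan: str
    expiry: str   # YYMM
    service: str  # three-digit service code


def scan_buffer(buf: bytes) -> list:
    """Return unique, validated track records found in buf, in memory order.

    Separator matching runs first because it is cheap; only candidates that
    pass the IIN, Luhn and expiry checks are kept, which cuts false positives
    and log size.  The `seen` set stands in for the in-memory binary tree:
    a duplicate is detected with one lookup instead of rescanning the log
    with a substring search.
    """
    hits = [(m.start(), 1, m) for m in TRACK1_RE.finditer(buf)]
    hits += [(m.start(), 2, m) for m in TRACK2_RE.finditer(buf)]
    seen, records = set(), []
    for _, track, m in sorted(hits, key=lambda h: h[0]):
        pan = m.group(1).decode()
        expiry = m.group(3 if track == 1 else 2).decode()
        service = m.group(4 if track == 1 else 3).decode()
        if iin_brand(pan) is None or not luhn_valid(pan) or not expiry_plausible(expiry):
            continue  # heuristic rejection: never reaches the log
        rec = TrackRecord(track, pan, expiry, service)
        if rec in seen:
            continue  # already logged, skip the duplicate
        seen.add(rec)
        records.append(rec)
    return records


# Constructed test buffer: padding, a track 2 record, a track 1 record for a
# second card, the first record again (same swipe seen twice in memory), one
# record whose PAN fails Luhn, and one with no recognised IIN.
SAMPLE_MEMORY = (
    b"\x00\x00POS\x00"
    b";4111111111111111=25121011234567890?"
    b"\x90\x90junk"
    b"%B5555555555554444^DOE/JOHN^2512101000000000?"
    b"\x00"
    b";4111111111111111=25121011234567890?"   # duplicate of the first record
    b";4111111111111112=2512101?"             # fails the Luhn check
    b";1234567890123456=2512101?"             # no entry in IIN_TABLE
    b"\x00tail"
)

if __name__ == "__main__":
    for rec in scan_buffer(SAMPLE_MEMORY):
        print(f"track {rec.track} {iin_brand(rec.pan)} {rec.pan} exp {rec.expiry} svc {rec.service}")
```

Run against the constructed buffer, the scan yields exactly two records (the Visa track 2 record and the Mastercard track 1 record); the repeated swipe, the Luhn failure and the unknown-IIN candidate are all dropped before logging, which is the false-positive and log-size reduction the report attributes to Mozart's validation and to BlackPOS's deduplication.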
In contrast, POS malware like Dexter uses a simple function, StrStrA, to find duplicate track records. A binary tree lookup is far faster than a StrStrA substring search, which has to scan the whole existing log for every new record. Interestingly, while Mozart was responsible for the theft of 56 million credit and debit card numbers, it doesn't contain any data management functionality; it simply saves every track entry it encounters while RAM scraping.

Data exfiltration

Once the financial data is captured, it needs to be transported from the affected system so it can be sold or otherwise used for fraud. Usually, this data exfiltration step is not performed directly by the POS malware. As with other modern malware, POS malware is often modular: while it performs the RAM scraping and saves the data to a log file on the local system or on a remote UNC location, different modules are responsible for uploading those log files to the attacker. That setup is common and was used in recently reported breaches, including those at Target and Home Depot.

Both Mozart and BlackPOS use very similar schemes for uploading log files. Both initiate the network operation that copies the files within a specific time window, when the traffic will look least suspicious, and both use Windows file sharing to push the log files to a central location inside the compromised network. The most likely reason for this is that the infected POS machine itself might not have an Internet connection; the data therefore needs to be transported to a location that does. From there, another component pushes the data out of the network to machines under the attacker's control. BlackPOS is known to use an FTP program to upload its log files.

[132] http://www.creditcards.com/credit-card-news/luhn-formula-credit-card-number-system-1273.php
